summaryrefslogtreecommitdiffstats
path: root/ipa-client/man
Commit message (Collapse)AuthorAgeFilesLines
* Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.confRob Crittenden2012-03-141-1/+33
| | | | | | | | | Set URI, BASE and TLS_CACERT Also update the man page to include a list of files that the client changes. https://fedorahosted.org/freeipa/ticket/1810
* Add --noac option to ipa-client-install man pageRob Crittenden2012-03-041-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/2369
* Implement session activity timeoutJohn Dennis2012-02-271-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392
* Add client hostname requirements to manMartin Kosek2012-02-271-1/+6
| | | | | | | | Changing a client hostname after ipa-client-install would break the enrollment on IPA server. Update relevant man pages to contain such information. https://fedorahosted.org/freeipa/ticket/1967
* Configure ssh and sshd during ipa-client-install.Jan Cholasta2012-02-131-0/+6
| | | | | | | | | | | For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option). ticket 1634
* Update host SSH public keys on the server during client install.Jan Cholasta2012-02-131-0/+3
| | | | | | | | This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
* add session manager and cache krb authJohn Dennis2012-02-091-7/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
* Fix ipa-client-install -U option alignmentMartin Kosek2011-10-141-0/+1
|
* Document --preserve-sssd option of ipa-client-installAlexander Bokovoy2011-10-141-0/+9
| | | | | | | | | | | Add documentation about --preserve-sssd, an ipa-client-install's option to honor previously available SSSD configuration in case it is not possible to merge it cleanly with the new one. In this case ipa-client-install will fail and ask user to fix SSSD config before continuing. Additional fix for https://fedorahosted.org/freeipa/ticket/1750 https://fedorahosted.org/freeipa/ticket/1769
* Make ipa-join work against an LDAP server that disallows anon bindsRob Crittenden2011-10-111-1/+4
| | | | | | | | | | | | | | | We determine the realm in the client installer so we can deduce the base dn, pass that into ipa-join so we don't have to hunt for it. Re-order the bind so when doing an OTP enrollment so we can use the host entry to authenticate before we retrieve the subject base, then initiate the enrollment. If ipa-join is called without a basedn it will still attempt to determine it, but it will fail if anonymous binds are not allowed. https://fedorahosted.org/freeipa/ticket/1935
* Improve ipa-join man pageMartin Kosek2011-09-071-1/+12
| | | | | | Make it clear in man pages that ipa-join -u does not remove keytab. https://fedorahosted.org/freeipa/ticket/1317
* Improve man pages structureMartin Kosek2011-09-075-29/+38
| | | | | | | | | | | | | | | | There are too many options in ipa-*-install scripts which makes it difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed. To further improve man pages: 1) All man pages were changed to have the same header and top-center title to provide united look. 2) Few typos in man pages have been fixed https://fedorahosted.org/freeipa/ticket/1687
* Modify /etc/sysconfig/network on a client when IPA manages hostnameAlexander Bokovoy2011-07-291-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/1368
* Configure SSSD to store user password if offline.Jan Cholasta2011-07-141-0/+3
| | | | ticket 1359
* Consolidate man pages and IPA tools helpMartin Kosek2011-05-121-7/+7
| | | | | | | | IPA tools options are not consistent with information in man pages. https://fedorahosted.org/freeipa/ticket/1163 https://fedorahosted.org/freeipa/ticket/1178
* Bad return values for ipa-rmkeytab commandMartin Kosek2011-05-031-1/+1
| | | | | | | | | ipa-rmkeytab returns success even when the realm passed to the program is not found in a keytab. This patch adds an explanatory error message and returns error code 5 - Principal or realm not found. https://fedorahosted.org/freeipa/ticket/694
* Suppress --on-master from ipa-client-install command-line and man page.Rob Crittenden2011-04-121-3/+0
| | | | | | | | This option is only used when configuring an IPA client on an IPA server. Describing it on the command-line will only confuse people so don't list it as an option. Ticket 1050
* Add man page for the IPA configuration fileRob Crittenden2011-02-232-2/+187
| | | | ticket 969
* Document --enable-dns-updates in ipa-client-install man pageJakub Hrozek2011-02-211-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/991
* Fixes in ipa-join man pageJan Zeleny2011-02-181-4/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/784 https://fedorahosted.org/freeipa/ticket/786 https://fedorahosted.org/freeipa/ticket/787
* Fix a typo in ipa-client-install man pageJan Zeleny2011-02-151-1/+0
| | | | https://fedorahosted.org/freeipa/ticket/782
* Add an option for overriding the hostname value.Rob Crittenden2011-01-261-0/+3
| | | | Ticket 834
* Unchecked return values in ipa-joinMartin Kosek2011-01-121-0/+2
| | | | | | | | | | | krb5_get_default_realm() and asprintf() return values were ignored. This could lead to unhandled error issues or memory access issues. This patch adds return value checks to all such functions. As a consequence, one new return value has been added to man page. https://fedorahosted.org/freeipa/ticket/720
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-204-24/+24
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Fixing typos in man page of ipa-getkeytabGowrishankar Rajaiyan2010-12-201-2/+2
|
* Add missing options to ipa-getkeytab man page.Rob Crittenden2010-10-111-8/+20
| | | | ticket 229
* Unenroll the client from the IPA server on uninstall.Rob Crittenden2010-09-203-44/+119
| | | | | | | | | | | | | | | | | Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242
* Fix certmonger errors when doing a client or server uninstall.Rob Crittenden2010-09-091-0/+2
| | | | | | | | | | | | | | | | This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
* Call certmonger after krb5, avoid uninstall errors, better password handling.Rob Crittenden2010-05-061-5/+9
| | | | | | | | | - Move the ipa-getcert request to after we set up /etc/krb5.conf - Don't try removing certificates that don't exist - Don't tell certmonger to stop tracking a cert that doesn't exist - Allow --password/-w to be the kerberos password - Print an error if prompting for a password would happen in unattended mode - Still support echoing a password in when in unattended mode
* Add option to enable pam_mkhomedirs in the IPA client installerrcrit2010-03-191-0/+3
|
* Update available options and descriptions in client man pagesRob Crittenden2010-03-023-14/+50
|
* Fix command-line options convention in ipa-getkeytab man pageRob Crittenden2010-02-191-1/+1
| | | | Resolves #481230
* A utility for removing principals from a keytab.Rob Crittenden2009-12-042-0/+91
| | | | | | | | | | | | When we un-enroll a client we'll do a bit of cleanup including removing any principals for the IPA realm from /etc/krb5.keytab. This removes principals in 2 ways: - By principal, only entries matching the full principal are removed - By realm. Any principal for that realm is removed This does not change the KDC at all, just removes entries from a file on the client machine.
* Add man page for ipa-join commandRob Crittenden2009-10-122-1/+62
|
* Fix some minor man page issues.Rob Crittenden2008-06-041-8/+7
| | | | 438771
* Fix some formatting issues and correct the example.Rob Crittenden2008-06-041-28/+32
| | | | 443009
* Fix typo in ipa-client-install manpage.Rob Crittenden2008-05-141-1/+1
| | | | 446201
* Second half of the redoing how the version is managed.Rob Crittenden2008-05-071-0/+6
|
* Add --permitted-enctypes command and add it to the man page tooSimo Sorce2008-04-081-0/+21
|
* Add some missing man pagesRob Crittenden2008-03-172-2/+59
| | | | 436501
* Add --quiet option to ipa-getkeytabSimo Sorce2008-03-051-7/+21
| | | | | | Return message on success Avoid SASL output from being printed Make sure the man page is up to date
* Compress man pages after installationRob Crittenden2008-02-251-0/+2
|
* Move ipa-getkeytab man page into proper subdirRob Crittenden2008-02-252-0/+69
433878
generated by cgit (git 2.34.1) at 2024-11-15 23:26:21 +0000